SAP Authorizations Temporarily disable Central User Management - SAP Admin

Direkt zum Seiteninhalt
Temporarily disable Central User Management
A complicated role construct
Are you already using BAPIs in user care? For example, you can use them to set up a password reset self service. We show you how to do this and what you need to pay attention to. Especially with large system landscapes and systems that are only sporadically used, users often forget their password. Strengthened password rules (e.g. to change a password regularly or to require certain character types to be used), which are supposed to serve security, do their part. Forgotten passwords and the frequently resulting user locks are unfortunately often lost to the user when access to a system is most needed. Unlocking a user and assigning a new password is rarely done in real time, even with large 24-hour support service departments. This problem, which I am sure you are familiar with, does not exactly promote employee satisfaction and productivity. A self-service that uses the Business Application Programming Interfaces (BAPIs) can counteract this.

Critical permissions are permissions that allow you to view or modify security-related configurations in the SAP system, or perform activities that are critical from a legal or business perspective. This also includes access to sensitive data, which are e.g. personal. Critical permissions are really critical in themselves and pose a risk only if they get into the wrong hands. In any case, when using critical permissions, you should observe the principle of restricting rights. There are no general definitions of risk; Therefore, each company should define the compliance requirements for itself. Identifying critical SAP permissions is an important task and should be performed in every company. Particular attention should be paid not only to the award of transactions but also to the value characteristics of each of the eligible objects. It is important to mention that preventive regular inspections do not have to be burdensome. However, they will lead to greater transparency and security.
View system modifiability settings
The filter setting in transaction SM19 determines which events should be logged. In addition, you must activate the Security Audit Log via the profile parameters in the transaction RZ11 and make technical settings. For an overview of the profile parameters for the Security Audit Log, see the following table. The values specified in the table are a suggestion, but not the default values. The Security Audit Log is not fully configured until both the profile parameters and an active filter profile have been maintained. Note that the Security Audit Log has two configuration options: static and dynamic configuration. Static configuration stores filter settings persistent in the database; they are only applied on a system boot. The filter settings are used as the current configuration for each subsequent startup and should therefore always be maintained. The dynamic configuration allows you to change the settings in the running mode. The dynamic configuration is used when settings need to be adjusted temporarily. Here you can change all filter settings, but not the number of existing filters. Dynamic configuration will remain active until the next boot.

Create a message to be displayed to the user when permissions checks fail. The tests in this User-Exit are relatively free. This allows you to read table entries, store data from the ABAP application's memory, or read data that is already there. However, you are limited by the interface parameters of the application. In our example, these are the BKPF and BSEG structures and the system variables. If the information from the interface parameters is not sufficient for the test, you can use your programming skills and knowledge about the interdependencies of substitution and validation in finance to find additional data. The following coding allows you to identify the selected offset document entries that you can find in the POSTAB table (with the RFOPS structure) in the SAPMF05A programme. This way you can find many additional data. It is important that the supporting programme processes the User-Exits.

However, if your Identity Management system is currently not available or the approval path is interrupted, you can still assign urgently needed authorizations with "Shortcut for SAP systems".

Some useful tips about SAP basis can be found on

However, this is particularly relevant for tax audits.

To store all the information on the subject of SAP - and others - in a knowledge database, Scribble Papers is suitable.

For example, during the tests to be performed, both the development system and the quality assurance system will experience permission errors.
Zurück zum Seiteninhalt